Osquerybeat: Fix data_stream configuration, enforce the default values used before 8.6.0 #34246
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -23,6 +23,7 @@ import ( | |
|
|
||
| _ "github.com/elastic/beats/v7/x-pack/libbeat/include" | ||
| "github.com/elastic/beats/v7/x-pack/osquerybeat/beater" | ||
| "github.com/elastic/beats/v7/x-pack/osquerybeat/internal/config" | ||
| "github.com/elastic/beats/v7/x-pack/osquerybeat/internal/install" | ||
| ) | ||
|
|
||
|
|
@@ -74,14 +75,30 @@ func genVerifyCmd(_ instance.Settings) *cobra.Command { | |
| func osquerybeatCfg(rawIn *proto.UnitExpectedConfig, agentInfo *client.AgentInfo) ([]*reload.ConfigWithMeta, error) { | ||
| // Convert to streams, osquerybeat doesn't use streams | ||
| streams := make([]*proto.Stream, 1) | ||
|
|
||
| // Enforce the datastream dataset and type because the libbeat call to CreateInputsFromStreams | ||
| // provides it's own defaults that are breaking the osquery with logstash | ||
| // The target datastream for the publisher is expected to be logs-osquery_manager.result-<namespace> | ||
| // while the libebeat management.CreateInputsFromStreams defaults to osquery-generic-default | ||
| var datastream *proto.DataStream | ||
| if rawIn.GetDataStream() != nil { | ||
| // Copy by value and modify dataset and type | ||
| ds := *rawIn.GetDataStream() | ||
| ds.Dataset = config.DefaultDataset | ||
| ds.Type = config.DefaultType | ||
| datastream = &ds | ||
| } | ||
|
|
||
| streams[0] = &proto.Stream{ | ||
| Source: rawIn.GetSource(), | ||
| Id: rawIn.GetId(), | ||
| DataStream: datastream, | ||
| } | ||
|
|
||
| rawIn.Streams = streams | ||
|
|
||
| procs := defaultProcessors() | ||
|
|
||
|
There was a problem hiding this comment. I can't comment directly on this, but this block below can be removed: beats/x-pack/osquerybeat/cmd/root.go Lines 89 to 91 in b5246c4 That is trying to set an input type, which I don't think matters for osquerybeat. It is just adding an arbitrary There was a problem hiding this comment. yeah, don't remember the reason for this. can clean up later, separately from this more urgent fix There was a problem hiding this comment. I think it is a copy/paste error from one of the other Beats, agree this can be removed separately. |
||
| modules, err := management.CreateInputsFromStreams(rawIn, "osquery", agentInfo, procs...) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("error creating input list from raw expected config: %w", err) | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This works, but if the dataset or type ever becomes configurable it will break. That's probably unlikely though.